The present disclosure relates generally to software security, and more particularly to methods and systems for managing security policies associated with software applications.
Computing systems use various security mechanisms to ensure that certain pieces of data can only be operated on in certain ways by certain applications. A computing system is typically managed by an operating system such as Linux. The operating system includes a kernel that controls access to computing resources. In some cases, the operating system may include additional security enforcement mechanisms.
One example of an additional security enforcement mechanism is found within Security-Enhanced Linux (SELinux). SELinux provides an additional level of security by disallowing operations unless they are explicitly allowed by a security policy that accompanies a particular application. The security policy for the application can be created during development of the application. Specifically, as code is added to perform various operations on various types of data, an “allow rule” is added to the security policy that tells the SELinux enforcement mechanism that the application is allowed to perform specific operations on specific types of data.
When an application is executed and attempts to perform a particular operation, the security enforcement mechanism within SELinux checks the accompanying security policy to make sure the application is allowed to perform that operation. If so, then the operation is allowed. If not, then a denial of that operation occurs. In the case of SELinux, the denial is an Access Vector Cache (AVC) denial, which gets logged. It is desirable that the security policies for various applications are appropriately managed.
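The relationship between a logged AVC denial and the allow rule that would permit the operation can be shown in code. The following is an added example, not part of the original disclosure: it parses constructed audit log lines and derives candidate allow rules, and the domain `exampled_t`, the process name, and all log values are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit log lines (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read open } for  pid=4312 comm="exampled" name="state.db" dev="sda1" ino=1311 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.205:202): avc:  denied  { name_connect } for  pid=4312 comm="exampled" dest=5432 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000001.007:203): avc:  denied  { getattr } for  pid=4312 comm="exampled" path="/var/lib/exampled/state.db" dev="sda1" ino=1311 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.007:203): arch=c000003e syscall=4 success=no exit=-13
"""

# Captures the denied permissions, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, {perms}) per AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (e.g. SYSCALL) are skipped
            yield (context_type(m["scon"]), context_type(m["tcon"]),
                   m["tclass"], set(m["perms"].split()))

def candidate_allow_rules(log_text):
    """Merge denials per (source, target, class) into one allow rule each."""
    needed = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        needed[(src, tgt, cls)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]

if __name__ == "__main__":
    print("\n".join(candidate_allow_rules(SAMPLE_LOG)))
```

Each generated rule is a candidate for review rather than an automatic policy change, since a denial can also result from a mislabeled object or from behavior the application should not have.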